oneclick / rubyinstaller.org-website

Jekyll based rubyinstaller.org website
https://rubyinstaller.org

Compromised subdomain #26

Closed n0samu closed 1 year ago

n0samu commented 1 year ago

Hello, I am a contributor to the Ruffle project, and while remediating a compromise of an unused subdomain of our website, we found that your project's website had been compromised by the same threat actor. Below I will explain the details of the issue and how you can resolve it.

A subdomain of your project website has been compromised and is displaying a spam advertisement for an Indonesian gambling service. The compromised URL is "direct.rubyinstaller.org". The attack was possible because these three conditions were met:

  1. You have a DNS entry for the domain "direct.rubyinstaller.org" pointing to GitHub Pages.
  2. You do not have a GitHub Pages repository with a CNAME file pointing to that domain.
  3. You do not have verification set up for GitHub Pages: https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages

Because your domain's DNS entry points to GitHub Pages, but you do not have verification set up, an attacker was able to claim your custom domain by simply creating a GitHub Pages repository and adding a CNAME file within it pointing to your domain. The GitHub Docs page I linked above explains it this way:

When you verify your custom domain for your personal account or organization, only repositories owned by your personal account or organization may be used to publish a GitHub Pages site to the verified custom domain or the domain's immediate subdomains.

Verifying your domain stops other GitHub users from taking over your custom domain and using it to publish their own GitHub Pages site. Domain takeovers can happen when you delete your repository, when your billing plan is downgraded, or after any other change which unlinks the custom domain or disables GitHub Pages while the domain remains configured for GitHub Pages and is not verified.

So there are two steps you should take immediately:

  1. Remove the DNS entries for any unused subdomains of your website pointing to GitHub Pages, including the DNS entry for "direct.rubyinstaller.org".
  2. Set up verification for GitHub Pages by following the instructions in the GitHub Docs page I linked above. Here is the link again: https://docs.github.com/en/pages/configuring-a-custom-domain-for-your-github-pages-site/verifying-your-custom-domain-for-github-pages

Once again, I found this issue with your site because we at the Ruffle project were facing the exact same compromise, and were able to take the steps above to resolve it. Let me know if I can be of any further assistance!
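The three conditions above can be turned into an audit that walks a zone and flags names that route to GitHub Pages but that no repository has claimed. The following is an added example, not code from the rubyinstaller.org project or from the Ruffle project; the zone `example.org`, the organization name `someorg` and the HTTP responses are constructed sample data so that it runs offline. Two facts it relies on are GitHub's own: the unclaimed-domain 404 body text and the `_github-pages-challenge-ORGANIZATION` TXT record name used for domain verification.

```python
"""
Dangling GitHub Pages subdomain audit (added example, constructed data).

Decision logic: a name is at risk when
  1. its DNS points at GitHub Pages (CNAME to *.github.io or a Pages A record),
  2. GitHub answers 404 "There isn't a GitHub Pages site here." (no repo claims it),
  3. no _github-pages-challenge-<org> TXT record verifies the name or its parent.
A live version would replace ZONE/RESPONSES with dns.resolver / requests lookups.
"""
from dataclasses import dataclass

# GitHub Pages apex A records as published in the GitHub Pages docs (IPv4 only).
GITHUB_PAGES_A = {
    "185.199.108.153", "185.199.109.153",
    "185.199.110.153", "185.199.111.153",
}
# Body GitHub serves (HTTP 404) for a domain that routes to Pages but is unclaimed.
UNCLAIMED_MARKER = "There isn't a GitHub Pages site here."


@dataclass
class HttpResponse:
    status: int
    body: str


def points_to_github_pages(rrset):
    """rrset: list of (type, value) for one DNS name."""
    for rtype, value in rrset:
        if rtype == "CNAME" and value.rstrip(".").lower().endswith(".github.io"):
            return True
        if rtype == "A" and value in GITHUB_PAGES_A:
            return True
    return False


def verification_record_name(org, domain):
    """TXT record GitHub checks when verifying `domain` for `org`."""
    return f"_github-pages-challenge-{org}.{domain}"


def domain_verified(zone, org, name):
    """Verified if the name itself or its parent carries the challenge TXT record;
    a verified domain also covers its immediate subdomains."""
    parent = name.split(".", 1)[1] if "." in name else None
    for candidate in (name, parent):
        if candidate and any(t == "TXT" for t, _ in zone.get(verification_record_name(org, candidate), [])):
            return True
    return False


def assess(name, zone, org, http):
    rrset = zone.get(name, [])
    if not points_to_github_pages(rrset):
        return "NOT_GITHUB_PAGES"
    if http.status == 404 and UNCLAIMED_MARKER in http.body:
        # Condition 2 holds: nothing serves this name. Verification decides who may claim it.
        if domain_verified(zone, org, name):
            return "DANGLING_BUT_VERIFIED"  # only the org can claim it; still remove the record
        return "TAKEOVER_POSSIBLE"
    # Something already answers here: either your site or an attacker's claim.
    return "IN_USE"


def audit(zone, org, responses):
    """Classify every name in the zone; returns {name: verdict}."""
    return {name: assess(name, zone, org, responses.get(name, HttpResponse(0, "")))
            for name in zone if not name.startswith("_github-pages-challenge-")}


# Constructed sample zone and HTTP answers (hypothetical; not any real domain's records).
ZONE = {
    "www.example.org":    [("CNAME", "someorg.github.io.")],
    "direct.example.org": [("CNAME", "someorg.github.io.")],  # leftover from an old site
    "old.example.org":    [("A", "185.199.108.153")],
    "mail.example.org":   [("A", "203.0.113.10")],
}
RESPONSES = {
    "www.example.org":    HttpResponse(200, "<html>project site</html>"),
    "direct.example.org": HttpResponse(404, UNCLAIMED_MARKER),
    "old.example.org":    HttpResponse(404, UNCLAIMED_MARKER),
    "mail.example.org":   HttpResponse(200, "<html>webmail</html>"),
}
# Same zone after step 2 (verification TXT record added at the apex).
VERIFIED_ZONE = dict(ZONE)
VERIFIED_ZONE[verification_record_name("someorg", "example.org")] = [("TXT", "constructed-challenge-token")]

if __name__ == "__main__":
    for name, verdict in audit(ZONE, "someorg", RESPONSES).items():
        print(f"{name:22} {verdict}")
```

A name that answers 200 but that nobody on the team maintains is the case described in this issue (the attacker has already claimed it): the script reports it as IN_USE, so review those by hand. DANGLING_BUT_VERIFIED means step 2 above is done but step 1 is still pending.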

larskanis commented 1 year ago

@n0samu Thank you very much for providing all these details and proposed solution!

@luislavena You're the owner of the domain - can you check this issue and do the changes?

luislavena commented 1 year ago

Hello @n0samu, thank you for all the details! I took care of validating the domain and removing the obsolete DNS records. Seems these records were leftovers of the old website.

I've also validated the domain in GitHub, it should be good now.

Thank you again @n0samu and thank you @larskanis for the fast response!

❤️ ❤️ ❤️

larskanis commented 1 year ago

@luislavena Great! Thank you very much for fixing this issue! The subdomain is no longer available, so it seems to have worked.

@n0samu I learned about the Ruffle project that way and convinced my web-co-workers that flash is coming back! Thank you!

n0samu commented 1 year ago

Happy to help! And I'm glad you all like Ruffle 😃